
One of the remediation suggestions to go with PoisonTap is to enforce the use of SSL on applications to dissuade sniffing/modification of data. What if the attacker also employed SSL stripping? From Samy Kamkar's post on PoisonTap:

...allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain

So the attacker forces SSL communication to flow through their proxy and carries out SSL stripping. Agreed that a careful user might notice the difference in URL and go no further, but chances are the average user may not notice that.

My question in a nutshell - is there a mitigating factor to counter this scenario?

schroeder
katrix
  • I'm not sure the use case is to leave the device plugged in, which means all the user browsing attacks happen from the installed or remote malware. – schroeder Nov 17 '16 at 21:57
  • By "leave the device plugged in", if you're talking about leaving the PoisonTap USB plugged in to the victim computer, I don't think you need to. The PoisonTap post says: "allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain" – katrix Nov 17 '16 at 22:00
  • Right, so I'm not sure that SSL stripping is an option? You would have to install the stripping code on the victim as a stand alone. – schroeder Nov 17 '16 at 22:06
  • Maybe I'm misunderstanding your point here. Doesn't SSL stripping happen at a proxy that the victim is forced to direct their traffic through? The proxy could be a remote proxy and PoisonTap forces communication through that proxy. I'm having trouble understanding what installing the stripping code is. SSL stripping is not performed by any client side installed code, but rather by a proxy. – katrix Nov 17 '16 at 22:11
  • My question is how PoisonTap comes into play since the SSL stripping is a separate process, that's all. Either installed on the proxy installed on the victim or on the remote attacker's server. – schroeder Nov 17 '16 at 22:25
  • @katrix: SSL stripping needs to happen at a proxy that the HTTPS traffic passes through. PoisonTap only hijacks unencrypted HTTP. – Ben Voigt Nov 17 '16 at 22:29
  • @schroeder: Ah! But my question is more on whether PoisonTap could be more successful when used with SSL stripping, and not so much focusing on SSL stripping in itself. – katrix Nov 17 '16 at 22:35
  • @Ben Voigt: PoisonTap also makes all traffic proxy through an attacker's proxy. It can't do much beyond that since traffic would be encrypted. Which is where SSL stripping could come in. – katrix Nov 17 '16 at 22:36
  • @katrix: I don't think it does. I think it makes HTTP traffic to a certain (large) set of sites use a remote proxy, by placing malicious scripts in cache, allegedly sourced from those sites. It can't do that for HTTPS addresses. – Ben Voigt Nov 17 '16 at 22:39

1 Answer

PoisonTap works on the same level as ARP or DHCP spoofing or a rogue access point. This means that the same restrictions apply (i.e. HTTPS cannot be decrypted and thus the plain text not sniffed or modified) and the same possibilities (HTTP can be sniffed and modified).

This also means that enforcing the use of HTTP instead of HTTPS using SSL stripping will work with PoisonTap the same as it does with the other attack vectors, i.e. it works as long as the connection does not start as HTTPS but there is an initial HTTP request which can be hijacked and modified to remove any HTTPS and HSTS headers from the response. But there is actually nothing specific to PoisonTap here compared to the other usages of SSL stripping.

Steffen Ullrich
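The answer's point is that stripping only works when the first request goes out as plain HTTP and the attacker can rewrite that response. The server-side controls that close that window are a redirect of every plaintext request to HTTPS plus a Strict-Transport-Security header (RFC 6797) with a long max-age, and ideally preloading so that even a first visit never starts over HTTP. The following script is an added example, not code from the question, the answer, or the PoisonTap project: it parses a pair of constructed responses (the reply to the initial plain-HTTP request and the reply over HTTPS) and reports what is missing. The hostname `example.test` and the sample responses are constructed; the RFC 6797 rule that browsers ignore an HSTS header received over plain HTTP is real.

```python
"""Offline check of how well a site's responses resist SSL stripping.

Two responses are examined: the one a browser gets for its initial plain-HTTP
request (it should be a bare redirect to https://, with nothing worth
rewriting) and the one it gets over HTTPS (it should carry an HSTS header
with a long max-age, so later visits never start in plaintext).
All sample responses below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600
REDIRECT_CODES = (301, 302, 307, 308)


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive; max-age may be quoted."""
    policy = HstsPolicy()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return status, headers


def assess(http_response: str, https_response: str) -> List[str]:
    """Return findings that leave room for SSL stripping; empty means none found."""
    findings: List[str] = []

    # 1. The plaintext response should only redirect to https://, never serve content.
    status, headers = parse_response(http_response)
    location = headers.get("location", "")
    if status not in REDIRECT_CODES or not location.lower().startswith("https://"):
        findings.append("plaintext request is answered with content instead of an HTTPS redirect")
    if "strict-transport-security" in headers:
        # RFC 6797 section 8.1: browsers must ignore HSTS received over an insecure transport.
        findings.append("HSTS on the plaintext response is ignored by browsers; send it over HTTPS")

    # 2. The HTTPS response must carry a durable HSTS policy.
    _, headers_s = parse_response(https_response)
    hsts_value = headers_s.get("strict-transport-security")
    if hsts_value is None:
        findings.append("no HSTS header on the HTTPS response; every new session may start over HTTP")
        return findings
    policy = parse_hsts(hsts_value)
    if policy.max_age is None or policy.max_age < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    if not policy.include_subdomains:
        findings.append("HSTS lacks includeSubDomains; a subdomain can still be reached over HTTP")
    if not policy.preload:
        findings.append("not preloaded: the very first visit from a fresh browser still starts over HTTP")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n<html><a href=\"https://example.test/login\">Log in</a></html>"
)
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\nContent-Length: 0\r\n\r\n"
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, assess(*pair) or ["no findings"])
```

The "weak" pair reproduces the situation the answer describes: the first response is rewritable content, the HSTS header sits on the wrong transport, and the HTTPS response carries no policy at all, so every new session starts in plaintext. The "good" pair leaves nothing for a proxy to rewrite on the initial request and pins later visits to HTTPS; only preloading closes the remaining first-visit gap.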